STIGQter STIGQter: STIG Summary: Cisco IOS XE Switch NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

DISA Rule

SV-220565r531084_rule

Vulnerability Number

V-220565

Group Title

SRG-APP-000516-NDM-000336

Rule Version

CISC-ND-001370

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure the Cisco switch to use an authentication server as shown in the following example:

SW4(config)#radius host 10.1.48.2 key xxxxxx

Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example:

SW4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local

Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication.

SW4(config)#line vty 0 4
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#line con 0
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION

Check Contents

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local



ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server



radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx



line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco switch is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Vulnerability Number

V-220565

Documentable

False

Rule Version

CISC-ND-001370

Severity Override Guidance

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local



ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server



radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx



line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco switch is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Check Content Reference

M

Target Key

4067

Comments